Jack Rhysider (3:18)

Have at their disposal.

Sponsor/Advertisement Voice (3:19)

Spy Cloud's New Identity Threat Report reveals that nearly half of all corporate users have been infected by Infostealer malware at Some point. With 63.8 billion distinct identity records now circulating on the dark web, the scale.

Jack Rhysider (3:34)

Of this threat is staggering.

Sponsor/Advertisement Voice (3:35)

What's even more alarming is that only 38% of organizations can actually detect these historical identity exposures that create ongoing risk. Knowing what's putting you and your organization at risk, from stolen credentials to session cookies to PII is critical for protecting against identity based threats like account takeover, session hijacking, and yes, even ransomware. With Spy Cloud, you're never in the dark about your company's exposure from third party breaches, successful phishes or infosteeler infections. Read the full report and check your darknet exposure for free@spycloud.com darknetaries that's spycloud.com darknetdiaries this episode is sponsored by Deleteme. Deleteme makes it easy, quick and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable. Deleteme does all the hard work of wiping you and your family's personal information from data brokers websites and then continues to monitor and remove personal information that you don't want on the web. Plus, the New York Times Wirecutter has named Delete Me their top pick for data removal services. Privacy is super important topic to me so a few years ago I signed up and Delete Me immediately got busy scouring the Internet from my name and gave me reports on what they found. Then they got busy deleting things and it's great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Deleteme now at a special discount for my listeners. Get 20% off your delete Me plan when you go to join DeleteMe.com darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to join DeleteMe.com darkNetdiaries and enter code DD20 at checkout. That's join DeleteMe.com darknetdIaries code DD20.

Jack Rhysider (5:28)

His dad recognized that Hugh was really into computers and Ho Chi Minh City is a big city that has better schools to learn computers and so Hugh got enrolled in classes and started started studying. His parents would check in with him to make sure he was doing his schoolwork.

Hugh Mingo (5:41)

I was learning a lot. I was learning about like web programming. I built my first website, upc.com, i.

Jack Rhysider (5:49)

Remember he was learning about operating systems, networking and cybersecurity, all at high school. He really loved computers and was hooked on learning more.

Hugh Mingo (5:58)

I went to the Internet cafe, you know, to use the Internet, because Internet at my house is very slow. So I went to the Internet cafe and the moment, you know, I been there, I passed to one of the computer screen and I saw that computer screen. The color is very dark, you know, some kind of dark background and the font size is very wet. And also like the, the color of the text is also like look cool, you know, like green color and stuff like that. And I asked the guy, you know, what's this forum about? And then he told me, you know, this is about the dark web in Vietnam.

Jack Rhysider (6:48)

Ooh, Vietnam's dark web. That sounds interesting.

Interviewer (6:53)

You ready to go there?

Jack Rhysider (6:55)

Hugh was fascinated by it. He learned how to access it, where to go. For him, it was like finding a whole hidden place online filled with really fascinating stuff. Hacker forums, forbidden item marketplaces. It really emphasized the power of the Internet. This was all unregulated. The government, the police, they can't stop what goes on on the dark web. And that really fascinated him. And there's this whole section of the Internet where anything goes.

Hugh Mingo (7:23)

They're talking about hacking. They're talking about, you know, like sharing sensitive information and also like bank account and also some hacking techniques too, you know, like. And it got me, you know, wondering how they did that.

Interviewer (7:40)

Yeah, but so I think maybe a normal person would look at that and say, wow, there's stolen stuff here. There's illegal things here. Maybe this isn't for me. Maybe I should go back to the clear web.

Hugh Mingo (7:53)

Right? That's true. What, you know why? Because back then, right, Undercrowd forums, very fun though. They always sharing and they don't mind about money. Like they, sometimes they hack something, they just post it for free for everybody. Not really like into business or trading or doing anything. It's just like sharing techniques, you know. But you know, like, when I got into that, I say, man, you know, it's something that, you know, I really wondering, I watch on the movie and TV about like hackers. Very cool. That's why, you know, I say, yeah, I want to learn that, you know, I want to be a member in that hacking forums, underground hacking forums.

Jack Rhysider (8:43)

So this became his obsession. How to hack. What are the techniques? Like he would learn about a vulnerability and then use Google search queries to find websites that were vulnerable. And it was like the whole Internet opened up to him in new ways. He was finding that thousands of websites are vulnerable to a variety of different attacks. He was just getting into one after another with simple techniques like default passwords and SQL injection. But the extent of the damage he was doing was he's just hacked into the site and put something on the website that said pwned by Hugh PC, which is the name he was using at the time and also the name of the website that he made as a teenager. But the whole time he was just curious, not using his access to make any money or stealing anything. He just liked learning and like the excitement you get from getting into places that you're not supposed to be in. It made him feel clever and smart and powerful and he was teaching others how to do it. After all, he was still in high school.

Hugh Mingo (9:38)

I share a lot of hacking techniques and that also like social engineering techniques. But the thing is, you know, the more I say, the more the people, they know about me on these underground hacking forums. And eventually they voted me as an administrator in one of these forums. Very popular in Vietnam. And after that, you know, I joined a few, a few forums in Russia and even like in the Eastern Europe as well too. So I keep learning, but the thing went really market money, you know, before that it's just sharing for free, sharing the knowledge, sharing the techniques.

Jack Rhysider (10:30)

From posting on the forums and being an administrator to one of them, he started becoming more known. And so he met a guy, one of the forum users, and this guy's like, hey, listen up Hugh, your ability to hack into websites is actually worth a lot of money. Do you want to team up? You want to hack places and give me what you find and then I'll pay you for it. The guy explained how together they can make all this money. And Hugh didn't have much money at the time. I was interested.

Hugh Mingo (10:57)

And you know, like when talking about money, when was very young, I say, man, you know, like I saw the people making a lot of money too, buying, you know, by using like stolen identity and red account and you know, like to make some money and be able to buy some stuff. It's very cool, right? You know, like some technology stuff or some new devices, something cool for myself without asking my parents. So that's why, you know, I say yeah, okay, let's, so let's do it. And then the guy, he moved to my apartment living with me. And then I, you know, during the nighttime after the school, I started to hack a lot of e commercial website.

Jack Rhysider (11:55)

E commerce sites, like places you Go to buy things online like clothes or computers, kitchen items, travel tickets. A lot of these sites back then ran on WordPress or PHP or ASP and didn't have the best security. And it's kind of like a numbers game, right? If there are million e commerce websites on the Internet and 1% of them has poor security, that's 10,000 websites that are just sitting there vulnerable. Way more than enough for someone like you to go through. So the idea was to get into these sites and plant a listener that would capture when someone would enter their credit card to buy something on there. And then Hugh would give those credit card details to this guy he's teamed up with and the guy will somehow convert the cash for both of them. Hugh was 17 at the time, a senior in high school. And so after school and on the weekends Hugh and this guy would get busy scouring the Internet for a vulnerable.

Hugh Mingo (12:50)

Site to hit back Then there are lots of website, right? They use like the language called PHP or asp. It contains a lot of vulnerabilities. And then I search on Google with those keyword, you know some of the Google Doc that to be able to find out for me on the list of the website and I put on the customized tool that I programmed and then I just click scanning and it just kind of automatic scanning for the vulnerabilities and then it will give me the list of the vulnerable website and then I will exploit it to be able to obtain the red account information.

Interviewer (13:43)

And what was the first site that you made money from?

Hugh Mingo (13:47)

Is. I remember it's located in the uk, right? This website is still very popular nowadays in the uk but I don't want to mention that.

Interviewer (14:00)

That's fine. But yeah, what kind of site is it? Is it banking? Is it a.

Hugh Mingo (14:03)

No, that's that's website is e commercial website selling like electronic stuff. And in that website it got single injection vulnerability.

Interviewer (14:15)

So you found a website through Google Dorking and your scans, you tested it for SQL Injection, it worked. And what is that feeling like to get into a website using SQL Injection?

Hugh Mingo (14:26)

It's got like a gold mine. I say wow, you know, like this is so many credit card information like a day. I man so excited though. Like the feeling is kind of like you control something, you have a power, you feel like you'll be able to plug into anything if you have time and you have the resource and you feel like you're on top of the world. You know you can be able to get anything. And I feel like so excited like the it's hard to say to, to, to explain that, but feel like so happy technically. So happy though.

Interviewer (15:14)

Like, do you give each other a high five or I, I, me and.

Hugh Mingo (15:19)

Him, we give high five and hugging. I say, yeah, we did it. We, we got it. And, and, and I think, you know, we will be able to make a lot of money from this. Not just selling the information, but also like using that. And he's so excited. And we was laughing the whole night, I remember. And we was very young back then. He was like 18 and I was like 17. And he said, yes, let's do this way. We use all the red confirmation, right? Every day we was getting like slowly around like 50 to 100 credit cards from that website alone. And we was playing on the poker website.

Jack Rhysider (16:09)

Of course. They took the stolen credit cards to a gambling website. I should have guessed. No, they weren't actually gambling with it. What they were using this poker website for was to launder the money. See, back in the late 2000s, online poker casinos didn't always have the most strict security and verification controls. They were happy to take anyone's money whether it was stolen or not. So he created an account at the casino, loaded it up with as much stolen money as he could, and he might make three or four of those kind of accounts. And then he would have all those accounts join a poker table where his buddy was in and just try to lose as many hands as possible as he could to his buddy. Then his buddy would get all the chips and cash them out at the local bank. This technique is called chip dumping. Now the casino was aware of these sort of things. It would try to spot people doing this. So he had to do things to avoid the fraud detection. And his tricks were working.

Hugh Mingo (17:02)

And we was able to marking like a day, like thousand and thousand USD a day, and then we split the money like 50, 50. I, you know, I spend on like, I used that money to spend on stupid stuff. Vacation and also like taking girls out and you know, like easy money, easy go, technically.

Jack Rhysider (17:27)

Can you imagine that setup? A hacked website is supplying them with a constant stream of 80 new credit cards a day. And they'd take those cards, deposit the money into a casino, move the chips to another player, cash it out, and then go spend that money on something fun. Like where do you even focus here? Do you want to get more credit cards or cash out more at the casino or just enjoy a good time with all the money you have? For them, it was all of that. They wanted more cards and then they'd be busy trying to drain them all as fast as they could to launder the money. But as Hugh found more and more sites vulnerable to his attacks, he was sometimes stumbling upon whole databases of customer credit card details. Websites shouldn't be storing their customer credit card details like that. And this was even a surprise to him. But this meant sometimes he could find thousands of credit cards in a single day.

Hugh Mingo (18:16)

Eventually, I went back on the underground hacking forums. I sell the information. Visa and MasterCard, I sell for like 50 cent for one information. And American Express and Discover, Discover Car, I sell for from $1 to $3.

Interviewer (18:39)

You know, that sounds so cheap. So you're telling me the full credit card information was you were selling that, and the people could take that credit card and. And buy something for a few hundred dollars with that? Right, Right.

Hugh Mingo (18:52)

That's true. They can go on ebay and buy. Or they either they, you know, back then. Very easy, though. You can just use the stolen account, stolen bank account, or stolen credit card information. You deboss it into PayPal and then you withdraw. It's so easy. It just take a few days and few weeks to be able to get the real money out.

Interviewer (19:19)

I'm surprised you were selling it so cheap, though.

Hugh Mingo (19:21)

Very cheap, though, because so many, so much information.

Jack Rhysider (19:25)

That's crazy cheap. Usually cards are like, I don't know, 10 to $50 per card, because theoretically each card should be worth a few hundred dollars before fraud detection kicks in to make the card invalid. So rarely I'll see them for like $5 or less, but 50 cents a card.

Hugh Mingo (19:41)

Wow.

Jack Rhysider (19:42)

And that's what he was selling them for because he just had so many. Because he just kept finding more and more e commerce sites that were vulnerable to SQL injection, which means the website's form field wasn't as secure as it should be. Right. So he can go and type something onto a form field in a website and that triggers the vulnerability, and suddenly he can see, like, whatever's in the database, like an admin's password hash. And then he could crack that password hash and log into the site as the admin. And sometimes that alone would give him credit card details to the site. Because some sites did not treat their customer credit card data properly.

Hugh Mingo (20:17)

It show everything on the admin panel. You just click on the customer option, right? It show you the list of customer, and when you click on the record information, it pop out red card information.

Jack Rhysider (20:33)

I mean, when I hear that, I immediately think that's a PCI violation. PCI is payment card industry. And for you to be able to accept credit cards for your business, the credit card company has to verify that you're properly storing customer credit card data. If you aren't, then you will lose the ability to process transactions and can be fined quite severely. So Hugh kept focusing on finding more and more sites to hack into and take all the customer credit cards that the site would store in their database. And he spent years doing this, mostly selling the cards in bulk on the dark web. He was finding and selling tons of.

Hugh Mingo (21:06)

Credit cards, more than 100,000 record information.

Jack Rhysider (21:16)

He gets done with high school and decides he's had enough of this. His pockets were overflowing with cash and he knew what he was doing was wrong. So he decided to leave town.

Hugh Mingo (21:26)

And then, you know, I saved up some money because I know this couldn't last long. We was making like more than a year. And it kind of getting harder because they know the chicks, right and they fish the Bernare beauties. So getting harder. And I saved up some money. I paid for the school fee in New Zealand.

Jack Rhysider (21:50)

His sister was living in New Zealand, so he decided to go see her and go to school there. He knew that what he was doing was wrong and could potentially get him arrested. But he grappled with it like he went back and forth, convincing himself it's okay to take these cards. Like these websites should secure their site better. And if it wasn't him taking it, then it would surely be someone else taking it, so why not me? But then flipping it and being like, no, this is stealing, this is illegal, I'll get in trouble for this. The move to New Zealand gave him a fresh start. He wanted to become a good student who was learning computer science.

Hugh Mingo (22:25)

When I got into New Zealand, I stayed there for a few months, not doing anything illegal, try to be a good student at the school, learning about computer networking and be a computer scientist, you know. But things couldn't work out. I started to hacking again after talking with a few fans, a few hackers on the Internet and they say, you know, they need red call and you know, and I need money because my family couldn't afford to send me much money. So I say yes. So let me find out if in New Zealand have some website that I can obtain the rental information. And I hacked into a few e commercial website in New Zealand, yeah, the same thing, you know, it's just some bases, vulnerabilities. And I got into the database and I got the stolen record.

Jack Rhysider (23:31)

He was able to sell the credit card data to make some money, but with all these Cards. He decided to use a few himself, which was probably a dumb idea.

Hugh Mingo (23:40)

And I use those stolen credit confirmation to buy electronic stuff like laptop and cell phone on similar, like ebay, they call it TradeMe platform. I use this, I use the stolen record on that website and then I got the stuff and then I sell that to the same platform to make money, kind of learn with the stuff, you know, like to, to get a real cash. But eventually, you know, I made a mistake that used in the stolen record to buy the music concert tickets to the Ticketmaster. And I bought a thousand and thousand music concert tickets to sell to other people with a cheaper price. And then when you bought a thousand.

Interviewer (24:38)

Concert tickets, right, I bought a lot. Wow.

Hugh Mingo (24:42)

And I resell that to other people on the platform. But the thing you know, like a few of the people, they bought my music concert ticket, they got problem when they tried to enter the stadium or try to enter the concert, right? They got denied because this ticket, you know, is got invalid because it's kind of considered as a fraudulent ticket. And they got so mad and they got so scared. And then they also complained to the law enforcement, to the police in New Zealand. So the police in New Zealand, they feed my account on the platform and also feed my bank account. So I got so scared, they also called me and called my sister. Almost a year stayed in New Zealand. I got into Chobo and the moment I got that phone call from the law enforcement, I got so scared. I bought the ticket, I ran away. I ran back to Vietnam.

Jack Rhysider (25:49)

Oh boy. Hugh was on the run. The police were now looking for him. But he was able to get away and find refuge in Ho Chi Minh City. In Vietnam, he escaped the police and didn't suffer any consequences from this lucky break. We're going to take a quick ad break here, but stay with us because this is not going to be the last time that the police go looking for him. His operation is about to go stratospheric.

Sponsor/Advertisement Voice (26:18)

This episode is sponsored by Thales Tallis.

Jack Rhysider (26:21)

Knows cybersecurity can be tough and that you can't protect everything. But with Thales you, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. With Thales, you can get better visibility of risks, stop threats, close compliance gaps and deliver trusted digital services to customers. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most, applications, data and identities. Learn more@talasgroup.com Cyber that's Talas, spelled T H A L E S thalesgroup.com Cyber Hugh gets back to Vietnam. He's around 20 years old at this point. He goes to see his mother and his father and they heard about his fraudulent concert ticket thing and they were mad. They scolded him, they shamed him, and he was just lying back to them.

Hugh Mingo (27:20)

I gave them all the phone promises, you know, I told them, you know, I will be a good boy and will be a better person not doing anything illegal. It kind of feel like very ashamed, you know. So my mom was crying a lot, but back then I was like 20 years old, 19 years old, tried to be a good person. I didn't touch the computer within six months when they got back from New Zealand. And I told my mom, you know, I want to go to Ho Chi Minh City to learn computer science at the university in Ho Chi Minh City. My mom and my dad, you know, they kind of believe me that I'm kind of a trans person. And hopefully this time will be the last change for me.

Jack Rhysider (28:17)

So around 2009, he moved to Ho Chi Minh City and enrolled in the computer science and cybersecurity program at the university.

Hugh Mingo (28:24)

But during that first year, I went to kind of to hang out with other old school hackers in Vietnam. They own black hat hackers they heard about, you know, I got problem. I got Choppo in New Zealand. By using stolen record. I say yes, you know, that's why I don't want to touch computer anymore. I got so scared, I almost got caught. And they told me, you know, why you don't think about US Identity or personal information? It should be safer. It should be easy to sell that.

Jack Rhysider (29:03)

So these hackers were telling him, yeah, of course you got in trouble for stealing stolen credit cards, man. Don't mess with money. The police are going to get mad if you do that. That was your m. They take credit card theft very seriously. Heck, I bet the US Secret Service probably has a case opened on you. What you should have done is gone into the business of stealing the identities of US citizens and sell that. Not only can you make money doing that, but the Secret Service doesn't give a crap about stolen identities. In fact, nobody does. They'll never come after you for stealing identities, especially if you stay here in Vietnam. They can't touch you, so you should try stealing US Identities. So he starts looking into it. My goodness, he thinks they're right. Stealing identities and selling that is far less of a crime than Stealing credit cards and just as valuable on the dark web. He wasn't sure why it was valuable. But if he could get all the personal details of someone like their address, Social Security number, phone number, work history, the type of car they have, then people will buy that up like crazy on the dark web. So he starts looking around for places that might have all this information on US citizens.

Hugh Mingo (30:08)

I didn't think Kale in the long term, I just see whatever I see in front of me and the money blind my eyes. And I thought, as should be safer and I'm in Vietnam and this is US identity subefi.

Jack Rhysider (30:31)

I mean the logic checks out, right? Stealing identities of people in a far, far away country. No chance of them catching him in Vietnam.

Interviewer (30:38)

Right.

Hugh Mingo (30:39)

And eventually I spent like almost a month I recon and also doing a lot of ocean to get me a list of only data broker in the US to be able to provide this data.

Jack Rhysider (30:59)

Data brokers, of course, they would absolutely have a ton of people's identities. Okay, so if you don't know, a data broker is a company that spends an enormous amount of effort gathering up as much information as they can about you. Here's how they do it. Number one, they'll copy the whole phone book into their database that's got everyone's name and phone number. Then they'll take a copy of all the county records. This includes who owns which property, court records, marital status. Then they'll look at your social media account and scoop up any photos that you have taken of yourself and posted email addresses. You list affiliations like which school you went to or place you work. LinkedIn is being scraped by data brokers all day, which you personally have told what your skills are, who your co workers are, where you work and what you look like. Now, to me, that's already spooky enough that someone would go through all this trouble to get all this data on me by doing all that. But some data brokers go far deeper and are way more sinister at getting data on us. They have been known to install trackers on your phone, which typically just comes along for the ride on popular apps. Like a data broker may pay an app developer to put a tracking pixel on the app so that they can track people even more. This means data broker is often collecting cell phone data, which could include your phone number, the app usage, but more interestingly, up to the minute location information. Some data brokers go even further and set up antennas around town and watch what phones interact with those antennas and they can track your phone's location that way. Some have been known to put little sensors on roads to identify which cars have passed down that road and take pictures of license plates going by, too. Of course, purchasing history is important to them. I've heard stories of data brokers buying your purchase history data from retail stores. And if you don't know, a lot of retail stores are very closely tracking all the purchases you make with your credit card and have a complete history of everything you've ever bought with that card in their store. Sometimes they even track where you are in the store and what you stop to look at to see what interests you. And yes, absolutely, data brokers are buying up all this data that the stores are collecting on you because this consumer behavior is worth gold to these data brokers. So why do these data brokers do this? Why do they go to such great lengths to build databases on us? Because there's a lot of people who are willing to buy this data. Your data is very valuable, and I'm not talking about selling it on the dark web. We'll get to that. Data brokers often sell their data to law enforcement, and this has been a growing problem over time. I feel like law enforcement has found a loophole to ignore the fourth Amendment. As a refresher, the fourth amendment says you have a right to privacy from the government. The government should not be able to see into your life without a warrant or probable cause. But they are, through data brokers. There's something called a third party doctrine now which says if you give your data to a third party, you no longer have a reasonable expectation of privacy from that data. So that means if you have money in the bank, the bank can share your data with the government without a warrant. And law enforcement can purchase your location data from a data broker without a warrant because it's commercially available data. Data brokers are trying to ruin the fourth Amendment. And I want you to look a little closer at where this data is coming from. Yes, a lot of it is publicly sourced, but a lot is not. A lot of this data that you think is just private between you and the party you trusted your data with. But they're selling that data to others. And so if you think it's safe and secure, but it's secretly being scraped and sold, I would say that's spying on you, which the government isn't allowed to spy on its own citizens. I mean, mass surveillance is against the law, flat out. But they can get away with it because data brokers are the ones doing the spying and the mass surveillance, not the government, and then they're selling it to the government. Now I've tried to remove my digital footprint as much as possible, but there are still things that I'm forced to do which hurts my privacy and I hate it. Like for instance, anytime I see a doctor, I can't do it under a fake name. They have a strict policy where I have to prove my identity in order to get medical treatment. And then my medical records are being passed around to millions of people. HIPAA isn't there to protect our privacy. It's there to assist others to get our data. The portability part of it means they're making it easy to package up our data and send it to whoever asks for it. And there are millions of people and entities that can access HIPAA and patient data. Second is banks. There are laws in place where the banks have to verify who you are before they do business with, you know, your customer type stuff. And the banks are forced to report certain activity to the government. So millions of customers, banking data is going to the government again without a warrant. Lastly, I hate all this public record stuff. If I buy a house, get married, go to court, start a business, get arrested, all that is public record. And it gets abused all day, every day because it is, I have no choice when it comes to these matters. My banking history, medical information, marital status, there's no way to opt out of any of it. And data brokers are just licking their lips, sucking it up as fast as they can, and they're profiting off of it and they're using it to strip away my rights. But don't think it stops there. Data brokers are just companies trying to make money. So they have no problem selling your data to Walmart, Facebook, Google, insurance companies, credit card agencies, ad agencies. Because all these businesses would love to know more about who you are so that they can target you with ads or to calculate the risk of doing business with you. And these data brokers absolutely do not want you to know they exist. They do a great job at hiding their presence in the world. Let me give you an example. I'm going to list eight of them for you. And I bet you've never heard of any of these companies yet. There's a high chance that all of them know exactly what you're doing right now. Merkle Locate plus, Liveramp Micro Built, Ventel, Safegraph, X Mode, Social Court Ventures. I certainly don't know anything about these companies, but Hugh was learning a lot about them.

Hugh Mingo (37:41)

And I found out right there are a few key players in this data business related to like us and they provide his data to law enforcement, to lawyers, to private investigator, stuff like that. And I see man, it kind of very difficult to get this information. You have to prove yourself, you have to being verified. So that's why I boot a lot of time, like almost a month. And I hacked into two different data broker, very popular one. The first one is this Locate Plus.

Jack Rhysider (38:28)

Locate plus is a data broker that markets itself to people doing background checks and investigations. They get their data from criminal records, property records, the phone book, and also gather Social Security numbers and date of birth.

Hugh Mingo (38:43)

The first one I hacked into is the Locate plus and the second one is the micro build.

Jack Rhysider (38:53)

Microbuild collects data on US citizens which includes criminal history, employment history, address history and Social Security numbers. They also keep records of your utility payments, rent payments, loan payments and stuff like that to see if you pay your bills on time. The big credit bureaus use this one like Experian and Equifax because your credit score is a reflection of how well you pay your bills. But not only that, landlords use microbilt, employers do background checks on it, and lenders look to see how much of a risk you are before doing business with you.

Hugh Mingo (39:26)

So the two companies, LocatePlus and MicroBuild, I hacked them a few times. First single injection. The second one defined upload vulnerabilities and the third one, cross site scripting. When I got into their database, right, I steal the customer logins of their lifeform and then I use that to be able to log it into the platform and make a queries.

Jack Rhysider (39:58)

Okay, interesting. He didn't get into the main data broker database. Instead he was just able to get into the web portal side of things which had user accounts and that's the people who used the site to do background checks and lookups with. He was able to steal some of their logins. So now he could log into the site and use it as if he was a lawyer or a cop or an investigator who's been vetted by the site to look up anyone's data.

Hugh Mingo (40:26)

I can search your name, the state that you've been living or the city you live in, and that's all. If we pop out the possible people identity related to that name and in that city and you can get the Social Security number rivalization on the previous 10 years, addresses that you've been living, even the current one. And also you will obtain your relatives, your family members. Right? You can also get the information.

Jack Rhysider (41:01)

Now these sites charge for their service. It's often a pay per search kind of thing. So when he would search, it would go to someone else's bill. And he thought if he did a lot of searches on one user, then their bill would go way up and then they'd investigate what's going on here and they would find out that he's been using their account and they would shut it down. So he would cycle through all the accounts he had to spread out his activity.

Hugh Mingo (41:25)

I remember I was using more than 5,000 accounts on MITRE build alone.

Jack Rhysider (41:35)

So with his access, he could look anyone up and get their full name, maiden name, phone number, email address, where they live, address history, Social Security number, driver's license, where they work, work history, and the VIN number for their car. He decides to build a website to charge users to be able to look.

Hugh Mingo (41:56)

Up people in this database because so much information. Then I build a website and then I. To that website I sell to all the cybercriminals around the world for like $1 for one search. Kind of like $1 for one information, one identification.

Jack Rhysider (42:17)

The first week of him launching this website, he made $5,000 from people doing searches on it. It was an instant hit. He wasn't sure why people were using his site to search for other people, but he didn't care. He just saw the money coming in and was like, yeah. And interestingly, this was the early days and crypto wasn't really adopted so well yet. So he wasn't accepting that.

Hugh Mingo (42:39)

Back then, I didn't use Bitcoin. We used Liberty Reserve.

Jack Rhysider (42:43)

Liberty Reserve was sort of like a PayPal in the way that you could send money to someone online, except they didn't do much in regards of checking people's identities. So it became known as the place for criminal transactions around 2010. It was the go to place for stuff like that for a while. So he was getting tons of Liberty Reserve dollars and they were piling up in his account there. Then he was using some Vietnamese money mules that he found on the dark web to send them his Liberty Reserve dollars and they'd cash it out and give him cash. And things were looking good for a.

Hugh Mingo (43:16)

Few months, but, you know, the thing is not stable because the two companies, they find out about the vulnerability, so they sat down and they also feed the vulnerability. Kind of like me and them, you know, like we've been playing the, the cat and mouse game. They fish the burden. I fired down another one. So we just keep hacking and fishing. So I got kind of tired.

Jack Rhysider (43:45)

He was getting tired of constantly trying to find new ways to stay in the system. They were getting good at detecting him and kicking him out. So he stops to think about it and he thought, you know, why struggle to maintain access when he could just become a paying user of the site? Now, Microbuild would only allow certain people to use their site. You had to be a professional investigator or a cop or in a position that you can be trusted with this data. And there's a serious vetting process. So Hugh decided why not try to act like a private investigator and get in step one, create a driver's license with a fake name.

Hugh Mingo (44:24)

At first I got the license to Google, but it didn't work. I tried to do Photoshop and stuff like that, but couldn't work out. It's not good quality.

Jack Rhysider (44:35)

Okay, that didn't work. Time for plan B. Try to impersonate someone who is allowed to have an account there.

Hugh Mingo (44:42)

So I did an OSINT to gather in on the list of emails. Address belong to Rivet investigator. And you know, when I hacked into my review and locate plus, right. I got the email address already. I got on the list already. So I used that to do phishing. I was phishing them, you know, to a malware, so I can got into the computer.

Jack Rhysider (45:20)

Wow. So the 5,000 users that he got from Microbuilt, he could see which ones were private investigators and get all those emails and also their data from the data broker to know everything about them, and then send them phishing emails. And if they click the link, he would infect their computer with malware, essentially giving him access to their computers. And when he got access, he would look around to see if he could find any identifying documents for these private investigators so he could impersonate them.

Hugh Mingo (45:50)

And one of the private investigators, I remember he was living in Michigan in the US And I got into his computer to the malware. I got all the data on his computer, including the private investigator license, even his passport, his Social Security numbers. And I got, I mean, I got everything. And back then, you know, like the people, they still got a hobby saving all the sensitive stuff on their desktop inside the spreadsheet, right? Kind of like an Excel file, storing the username and password, like sensitive information in that file. And I got that file too, you know, so I got all the information, date of birth and driver license, stuff like that. So I impersonated as him under his name. I obtained an account at Mitre Build. So I got a minor build account. Officially I was using that maybe a month or two. Sorry. Find out this is a fake account. So they shut down my account.

Jack Rhysider (47:07)

So he's realizing micro builds is giving him a lot of trouble and decides to look at another data broker to maybe register an account there. And that's when he found a data broker called CourtVentures.

Hugh Mingo (47:18)

Court ventures providing API and data assets for the people to making queries to be able to obtain the U.S. identity.

Jack Rhysider (47:29)

Oh, this is even better, he thought, if he could get API access to make queries and do searches, that's a whole lot easier to integrate into his website. They were just like the others. They had address history, criminal history, full identity data. And yet investigators, cops, fraud detection agencies and credit bureaus loved using Court Ventures to look up people's data. He found a private investigator in Singapore and was able to obtain all his details and was going to impersonate him to try to get an account at Court Ventures.

Hugh Mingo (47:59)

I got his license and I be impersonated that guy, the private investigator in Singapore. And then I use that to apply the code Venture account and I pay for them. You know, I was dealing with them like real businessmen. You know, like I say, yeah, I'm, I was, I was doing for big company, doing background check for Microsoft, Google. So I need a lot of queries every month to do background check. And they okay with that because I pay for them. And I told them, you know, I want to have a good deal. And then the CEO of that code venture company, they gave me a good deal. Like I remember like 14 cent. 14 cent for one information. So I say yes, okay, we make a business contract too. Like I filed the signature, I paid name, everything. So I sent back to him and they didn't verify anything. They just keep going, they okay, everything okay.

Jack Rhysider (49:12)

He got the account. He could do searches on people now. Good, good, he thought, but he wanted that API key. So he applied for it and a few weeks later they gave it to him. Incredible.

Hugh Mingo (49:23)

So I got the account, man. I said, oh, oh my God. I got the API asset to like almost 200 million US identity right there. And all I need to do, you know, to integrate that into my website. That's all.

Jack Rhysider (49:39)

Yeah. 200 million US citizens details were in this data broker that's like over 60% of all US citizens data. That's incredible. And at 14 cents per lookup, he could sell each of those searches for a dollar on his website. His grand plan was starting to come together.

Hugh Mingo (49:58)

So at that time, my website is still on the clear web. You know, like anybody can gain access. But most of the clients that I have is all cybercriminal around the world. And technically I didn't care whatever they been using these identity. So I just keep selling to the API of the Court Venture. And I remember every month I was making more than 120k per month USD.

Jack Rhysider (50:34)

Yeah, he really didn't care who would use the site or why. He didn't even ask. All he knew is that people liked using it to look up people and he could make a nice profit off it. So it seemed like a good business model to him. But even though he was making $120,000 a month, he still had a massive bill to pay to Court Ventures every month.

Hugh Mingo (50:51)

And I was paying for Court Venture every month from 20,000 to 35,000 USD per month. Yeah, they happy and I'm happy as well. So we work win win situation. I keep running that website for over two years and I was making more than 3 million USD by selling the US identity.

Jack Rhysider (51:23)

It makes me wonder, is any of this illegal? I mean, can you squarely point at who the victim is here in this situation? Do you know the story of Irate Joe's? It's an interesting one. So there's this US Grocery store called Trader Joe's. It's fantastic. I love it. A majority of food there at Trader Joe's is the Trader Joe's branded stuff. And people get hooked on that brand. Well, up in Vancouver, Canada, they were like begging Trader Joe's to come open a store here, but Trader Joe's refused. They're like, no, we only focus in the US we're not going international. So some guy in Vancouver is like, well, you know what? I'm going to open my own Trader Joe's in Canada. Why not? Because if they're not going to do business here, then there's probably no jurisdiction issues or harm. Should be fine. So he crosses the border into Washington state, buys a ton of Trader Joe's stuff and drives it back to Vancouver and opens up a little shop called Pirate Joe's. He charged more than Trader Joe's did because of the logistics of it. But hey, people in Vancouver were happy to get some of their favorite food items. Finally, Trader Joe's was like, hey, you can't do that. And Pirate Joe's was like, yeah, nyah. We're in Canada. Your U.S. laws don't apply here. He was right. Trader Joe's had a really hard time getting anywhere legally. But eventually they convinced a US court to force a trademark infringement on Pirate Joe's, saying the name of the store is too similar to Trader Joe's. And they're smugglers. So what did they do? Pirate Joe's dropped the P and renamed the store to Irate Joe's. And they clearly put all over their store, we are unaffiliated, unauthorized, and unafraid. Trader Joe's was furious that they stayed open and started banning them from coming into the store to buy stuff. They banned the owner, who was driving twice a week to buy $5,000 worth of groceries from Trader Joe's. Then he got his co workers to go to different Trader Joe's and try to buy stuff from there. But Trader Joe's started figuring out which stores in Washington they were visiting and buying food in the shop so they would block these other people from purchasing things. So Irate Joe's started asking their customers to help stock the store. They're like, hey, if you're going to Washington, please pick some stuff up for us at the store. And soon, dozens of people were now helping stock the shelves at Ira Joe's. I'm telling you, people really love Trader Joe's stuff. And crowdsourcing the buying was working for them. But Trader Joe's was putting more and more limits on how much people could buy in the stores that were close to Vancouver. The guy who owned Irate Joe's is like, bro, I'm your biggest customer by far. I buy more than anyone else in the store. What is your deal? We're not asking for anything special. We just want to buy what you have. But Trader Joe's kept giving them legal trouble, and eventually, Irate Joe's shut down from the expensive legal fees that they kept facing. And again, here's a situation where I wonder, who's the victim? Trader Joe's sure thought it was them. But what do you think? I mean, when I was a teenager, I used to buy things from the Dollar Store and then sell them on eBay for $5 each. If it's legal for data brokers to sell identities of US Citizens, why would it be illegal for Hugh to buy those and resell them for more? This is the part I don't get. It's apparently perfectly fine for a data broker to buy and sell identifying information on US Citizens, but it's not for Hugh. In Hugh's case, he didn't hack into the site. He didn't steal anything. He was a paying customer of Court Ventures and was paying them a lot of money for all the searches people did. And they seemed to be fine with that, happy that Hugh was their customer. So he had his little website set up and accepted payment from Liberty Reserve. And users could search Court Venture database through the API.

Hugh Mingo (55:16)

And at first that website is called the US searching.info and then eventually like supergate.info and fig me stuff like that. You know, I change in the domain like constantly to avoid like law enforcement. And I was selling more than a little more than 3 million U.S. identities during that two years from 2010 to 2012.

Jack Rhysider (55:49)

Okay, let me do the math. Okay. 3 million searches, 14 cents per search. That's $420,000 that he paid to Court Ventures. And all this, jeez, that's a lot of money Court Ventures made off him. And that was fine for him because he made over $2.5 million in profit after that. Unbelievable.

Hugh Mingo (56:11)

And during 2011, right, I dropped down the school, I didn't study and finish the university anymore because I was thinking that man was making a lot of money. Every month I was making up to 120k per month.

Interviewer (56:30)

What were you using the money for that you were getting back then?

Hugh Mingo (56:33)

It's too young, too dumb, you know. Like a lot of money I spent on stupid stuff on five star hotel and business class. Spend a lot of money online, stupid things. And I waste a lot of money for cars and luxury stuff.

Interviewer (56:53)

What kind of car did you have?

Hugh Mingo (56:56)

I was having like three different cars. Two sports cars. One of them is BMW, the convertible one and another one is a customized car, like full customer one that I don't even know that you know what kind of car is it. But like kind of like one of the. I remember I, I used that car to be in a contest for the like good customized car. And I won the price as well too because I spent so much money on that call and customize that and fine tune that car. And the other car that I have is luxury call license, right?

Interviewer (57:43)

Yeah. So what did your parents think of all this money?

Hugh Mingo (57:47)

I was lying to them, you know, I was working for International bank in the US and they hired me to protect the system and also building their website, you know, like all the lies, you know. And when I meet up with other people kind of same age, even like the people that I know on the street, they asked me, you know, why I am so rich and I lied to them, you know, because my family was a, well a wealthy family and they, they, they got everything for me, that's why. So I, I kind of lines with each other with different stories, you know. And I kind of very tired though.

Interviewer (58:34)

What were the people that were using your site? Do you Know what they were, why they were searching for people, what was the point of them paying for people searches?

Hugh Mingo (58:44)

That's good question though. The question, you know, like the, the answer for this is, at that time I didn't care much about how did they use this information. All I know, you know, maybe they use that to impersonate somebody or even like they use that to bypass the credit card transaction, authentication, whatever. That's all I know.

Jack Rhysider (59:16)

So like he said, this went on for years. He was able to automate a lot of it, so he would only do a few hours of work a week to keep it all going. Life was going great for him.

Hugh Mingo (59:25)

Eventually, Code Venture rank. They got escorted by the Experian.

Jack Rhysider (59:33)

Oh, interesting. In December 2011, Experian bought Court Ventures. Now Experian is one of the three major credit bureaus in the U.S. they create a credit score for every U.S. adult and rental places and loan agencies will check your credit score before doing business with you. Experian loved the data that Court Ventures had on people so much that they just bought it outright. I couldn't find what the purchase price was for 200 million US citizens data, but I imagine it was in the millions of dollars. Now after Experian bought Court Ventures, the Secret Service contacted Experian and was like, you know that company you just bought? Yeah. Well, we have reason to believe that they are giving data to someone who is illicitly reselling it to criminals. Experian is like, what? Say that again. Court Ventures never told them this in the trade deal. So Experian quickly shut down Hugh's account and cooperated with the Secret Service. In fact, Experian was so mad that they sued Court Ventures for not taking action on this earlier. I suspect the lawsuit was because they were misrepresenting their business in the trade deal. And so the Secret Service now had their eyes fixed on Hugh.

Hugh Mingo (60:54)

One of the court requests from the U.S. secret Service, you know, asking about the status of my account, the FAE account, and eventually they shut down my account at a code Venture.

Jack Rhysider (61:09)

They shut down his account entirely. But he had a backup plan in case this did happen. He had a second account. Not one he made, but one. He stole the password to someone else's account and he could use their account to continue to do lookups, but he no longer had that API access where he could automate it.

Hugh Mingo (61:26)

That belonged to one of the company, one of the US data broker as well too. It's called the US searchinfo.com, something like that. I don't remember. It's a long name. But anyway, this company, I got one of the account to Phishing Attack and I used that to do manually searching identity for other people who still need the service.

Jack Rhysider (61:54)

He wanted to get another API connection to Court Ventures. This hand searching stuff was just taking way too much time. So he starts emailing them, hey, how come you shut off my API connection? I need it back. But what he didn't know is that because the Secret Service were investigating him, it was them who was responding to his emails.

Hugh Mingo (62:13)

And they was making up a story that, you know, they will offer me a good API connection not only to the US identity data, but also the UK identities data. I say, well you know, it's a good business, Carly. Too good to be true. But you know, at that time the money just blind my eyes. I say okay, it look good. But the thing, you know, they, I feel something suspicious going on too. Something not right.

Jack Rhysider (62:49)

Apparently there was another guy that was doing the same thing as Hugh, also reselling data broker data. But the Secret Service caught that guy who was in the UK and that guy was assisting the Secret Service to catch other people doing the same. So that's what felt off to Hugh. He was talking to both the Secret Service, an agent named Matt o' Neill and a guy from the UK named Mark who got caught reselling identities, his name Mark.

Hugh Mingo (63:13)

He still keep communicating with me to email and even call me to, I remember to Skype back then and they say, you know, they, they want, they want me to go to the US and also go to Australia or go to Hawaii. I say no, I don't want, I don't want to go there. But Matt o' Neil and Mark, they collaborate together and they lose me to Guam.

Jack Rhysider (63:48)

They told him if he can meet them in Guam, they'll give him all the things he needs for his API access. They made up a story of why they need to meet him in person. Something like, well, the big boss really wants to meet you. You're one of our best customers and we can get the contract signed right.

Hugh Mingo (64:01)

Then and there and, and then we can open the mid party, you know, so we can have fun together. And then you can fly back to Vietnam, everything good.

Jack Rhysider (64:11)

So he decides to fly to grand Guam, which is kind of near Southeast Asia. He figures it's the closest option that they gave him and looks safe.

Hugh Mingo (64:19)

You know, I didn't do any research about Guam. I thought it's just like an island, nobody care. And I heard that some of Vietnamese people, they live in over there as well too. Maybe it's fine, you know, if any problem I will, you know, go to talk to my people asking for help. And then I bought a ticket and then I went to Guam with my sister because back then, you know, back then my English is not really well. And I went there with her together. And the moment I landed at the international airport, they escorted me to U.S. custom office. And that moment, that dry moment, you know, I. I just feel like, man, something going on, something fishy. And then they told me, sit down here, you know, we want to talk to you a little bit. And I was so nervous. I was trembling like, man, and I was shocking. I said, man, something not right. They put a stack of the paper, like I remember like maybe like 10 inches thick, very thick documents. And they told me, you know, we know about, about you. We know everything about you. Maybe more than your family knows about you. And that moment, I say, man, it's over, it's over and that's it. I feel like I was on top of the world. And right now I can't. Like I was living in hell. And that's it. They sent me to the jail in Guam after that and they sent my sister back to Vietnam. I talk with the Prosecutor and the U.S. secret Service agent. I say my sister had nothing to do with this. It's all about me. So they released my sister and I was stay in the jail in Guam for like a little more than two months. And then they sent me back to the mainland, the U.S. mainland to many different jail. They sent me to Hawaii, to Los Angeles, Nevada. They sent me to Oklahoma, New Jersey, and then New York and then New Hampshire.

Jack Rhysider (67:02)

New Hampshire is where his case was going to be tried. So that was his final destination. And he was stuck in prison through the entire legal battle. Apparently the US prosecutor who first investigated him was in New Hampshire and so that's why his trial was there. Reflecting back on how he got caught, he has a few theories. First, he blames Brian Krebs, a cybersecurity journalist who did an article that said how criminals can look up people on the dark web. And Hugh's website is listed there. And so he thinks that's how the Secret Service probably first learned about my website. And on his website he made a few mistakes. The first week of having it. He used a hosting provider, but registered it under his real name. But then he changed the registration to an anonymous name. But those past records are still visible. Second, he used to have his personal email address on the website for contact details. So these slip ups would have easily traced someone to Hugh. And I also believe that the Secret Service probably used his site, did some searches on people, and then tried to correlate that with the logs at Court Ventures to pinpoint exactly which user Hugh was using for his site. But this whole time, he wasn't sure exactly why he was arrested. He was paying for these searches in full. Where's the fraud here? Where's the crime? But it wasn't until after his arrest where he learned what people were using.

Hugh Mingo (68:19)

His site for the federal court. They told me, you know, the information that I stole and also, like, sell that to other people. They using that for tax return. That's something new to me. I never know that, you know, tax return, and then I find out what tax return, and then it's very serious.

Jack Rhysider (68:41)

What people were doing was going to Hugh's site, looking someone up, getting all their details, and then trying to file the taxes for that person. See, here in the US we pay taxes to the government all year. And typically, people overpay on their taxes, so they get a big return come tax season. So a lot of Americans get a check for maybe a few thousand dollars every year from the government because they've overpaid on their taxes. Well, criminals know this. So they file tax returns on other people and. And they put on there that they should get a $2,000 refund. And then the IRS processes the tax filing, and they look at it, and it looks legit and sends this person a $2,000 check. And when the real person goes to file their taxes, the IRS is like, oh, no, no, no. You have already filled it out. We've already sent you a check. And now suddenly there's a bunch of Americans saying, oh, no, I didn't. Give me my money. And there is a big problem. So the Secret Service was investigating this because Hughes People search engine was complicit in helping criminals defraud a lot of American citizens. And apparently there were a lot of people in New Hampshire that someone stole their tax return check.

Hugh Mingo (69:48)

And, you know, I got so much information, and then it turns kind of like thousand and thousand victims in New Hampshire.

Jack Rhysider (69:56)

Okay, there's the V word. Victim. We found a victim, the people of New Hampshire, who didn't get their tax refunds. Okay, sure, they're victims of identity theft. I'll give them that. But typically the IRS will understand and pay them anyway, essentially giving out two refund checks. So this makes the IRS the victim. But then you could say, no, it's the US Taxpayer that's the real Victim. Because this is money that's just lost. And it drives me nuts how much money the IRS loses on this every year. Like every single year, the IRS will give out billions of dollars to criminals submitting tax refund scams. And I just have to ask, irs, when are you going to take this problem seriously? You're world class at collecting our money, but terrible at distributing it to the right people. Billions of tax dollars are lost every year because a criminal asked you for money. How is this acceptable?

Interviewer (70:59)

So what were your charges? Because I have no idea what you're actually guilty of.

Hugh Mingo (71:05)

Still, yes, technically. You can read that on the US Court's records.

Jack Rhysider (71:12)

Okay, fine, I will. All right, he's charged with three items here. All three are violations of the CFAA figures, right? The first specifically says he used a data broker in a way that they didn't authorize him to use. It's against their terms of service to resell the data that you're given access to or to impersonate someone to get an account there. And he did that. He absolutely violated their terms of use. And that is what the Secret Service is saying. He's going to prison for unauthorized access, which we can guess means that he impersonated an authorized user, which is against their terms of use. You know how many of us violate the terms of use on websites? We all do all the time. Like, if you ever let someone use your Spotify or Netflix login, that's the same violation, unauthorized access. He's being charged with that sort of thing. Second item, specifically, it says he's personally gained money from violating his access. And the third item is that it was in excess of $5,000. So all three of these are CFAA violations. And it drives me nuts that if you violate a website's terms of service, it's a federal crime. I don't know why. It's not just a civil issue, a problem between you and the website. Like, why is it a federal crime? I think the site has grounds to terminate you, ban you, and probably even sue you for violating their terms of service. But prison time, I think that's just going too far. But that's how it is. It's a federal offense to violate a website's terms of use. And I'd be remiss if I didn't mention Aaron Schwartz here. Aaron was an MIT student, and because he was a student, he had access to academic research papers through a place called jstor. Well, he thought this information was so valuable to the world that he was downloading it and Publishing it for free. The world should have this academic research, not keep it exclusive only for university students. But JSTOR was pissed. They called the feds on Aaron for violating their terms of Service. And the DOJ charged him with 13 felony counts, and he was facing 35 years in prison. They told him, look, if you take a plea deal, you'll probably only do six months in prison. But he absolutely did not want to want a felony on his record. A felony for violating the terms of service. The pressure was too much for him, and Aaron killed himself. So after that, politicians were like, whoa, whoa, whoa, why does the CFAA have it written in there that unauthorized access to a website is a federal crime? People are dying over this. Just because you violated a website's terms of use should not be a federal crime. And so Aaron's law got proposed, which asks to change the CFAA to stop saying that a terms of use violation is a federal crime. But sadly, the law didn't get passed. Can you tell I hate the cfaa?

Interviewer (74:10)

See here, I'm upset about this because first of all, these data brokers are collecting data on us without our permission. And so there should be. They should be the ones that are doing illegal things. Second of all, they're selling this data for $0.14 per lookup. You're selling for $1 per lookup. Yeah. So it's. The only real thing here is that you're saying, hey, I'm just up. I'm doing an upcharge for this and giving you access to more people. It's not really stolen data. It's actually paying for the data as you're using it.

Jack Rhysider (74:47)

And.

Interviewer (74:49)

You'Re right, the, the unauthorized access is a CFAA violation. And I can see them saying that, but in my. I'm just so frustrated about this because you didn't do any money laundering in the US So for them to say you did money laundering there, it's not true. You did that in right now, Vietnam.

Hugh Mingo (75:08)

Right.

Interviewer (75:09)

I'm just frustrated on your behalf.

Hugh Mingo (75:12)

I know. But the thing is, what is it though? That's how it works. And also the damage amount that they put in my case is very huge, though, like over 60 million USD.

Jack Rhysider (75:28)

Prosecutors were saying he caused $60 million in damage. And of course they didn't explain how they came to that number. It's kind of impossible to look through 3 million lookups on Hughes site and then connect that to what identity theft crimes happened for those people and then add up how much money was earned from that. And anyway, all that was secondhand none of that stolen money was done by Hugh, so they likely just made up some number. But he's not the one who did the identity theft. He's not the one who did tax fraud scams. So it's maddening that they're saying he's the one who's responsible for all that damage. Like, Hugh is a criminal. He is the bad guy here.

Interviewer (76:08)

Okay?

Jack Rhysider (76:08)

I'm not trying to say he should have gotten off. He absolutely did break the law. What I'm saying is that this is the wrong law to be charging him with, because I hate when the CFAA is used like that. They tried to say he was also in trouble for money laundering, but he didn't do any of his money laundering in the US So I'm not sure if that one even flies. But, like, none of his charges were for any of the credit cards he stole or drained. All those sites that he hacked into back then. There's nothing about all the concert tickets that he bough and then essentially scammed all those people. Like, those are easy charges to slap him with, yet they're completely absent here. There is a law around identity theft, but I think it would be hilarious if they charged him with that, since that's the whole business model of what data brokers do already, right? They work every day to grab as many identities as they can without anybody's permission and then sell them. And not only that, he didn't steal the identities, he paid for them. So the theft part would be in question too. I think the proper crime here that they probably should have charged him with is that he was knowingly helping criminals conduct crimes, right? Like aiding and abetting and conspiracy, that sort of thing. Hugh knew his site was used by criminals, and they were his favorite customers because they would pay for tons of searches. So he was catering to them, making it easier and better for them to use his site. So while he didn't do any of the tax fraud himself, he did help a lot of people do it. But he wasn't being charged with aiding and abetting. He was being charged with violating the terms of service of a data broker where he was impersonating someone else to get an account there. But the thing is, the Feds would have a much harder time proving his site was intended for criminal use compared to simply giving him a CFAA violation, which is easy to convict someone of. Like I said, we all violate the CFAA all day, every day. So in my opinion, the feds charged him with the wrong crime because of the almost guaranteed win for Them, as opposed to charging him with the right crime and then struggling to find evidence to prove that he did that. And by the way, while the Fed said that he caused $60 million in damage, nobody was asking for restitution there. None of the data brokers were saying he caused them damage. So if he did do all that damage, find that victim and bring them into the case. Because here's the thing, I'm looking at the indictment and there's not a single company name here or victim name listed at all. Of course not, because the data brokers want to hide from you. So the only thing listed there is company A headquartered in New Jersey. And it said he did an SQL injection on company A. Well, by doing a little bit of research, it's kind of easy to figure out that the data broker in New Jersey that they're talking about is US infosearch, which Hugh did in fact steal credentials and use that site, but not much at all. I mean, it was such a small blip in his story that it's hardly worth mentioning yet. That's the company that was saying he got unauthorized access to. But here's the thing, here's how it all connects. Court Ventures was partnered with US InfoSearch. If you are a paid Court Ventures user and you look someone up, they had a connection to US InfoSearch, so you'd get results from them too. Now, I'm just connecting the dots here, but that sounds like to me that Court Ventures was reselling data broker information that they got from US Infosearch. Like surely whatever deal they had with US infosearch, they were selling that data for a higher price to their own customers. Right. You see my point? This story is pretty bizarre. So you could say this company listed in the indictment, US InfoSearch, was the back end and provided data to Court Ventures. And it's US Info Search that the US Government is saying Hugh got unauthorized access to and profited off that access.

Interviewer (79:59)

You say the victims were the people who got their tax fraud or whatever stolen, but I really think the victims are the people you were stealing from. Right. Locate plus micro built. And I think those are the people you were robbing or attacking. And I'm surprised they were they part of the case at all. Did they come and, and testify against you or, or give evidence?

Hugh Mingo (80:30)

No, no, I don't. I didn't see anybody from this company. Yeah.

Interviewer (80:37)

But I can't. I just. Did you have a good lawyer?

Hugh Mingo (80:40)

I. I pay for the lawyer. Like, I spend like almost more than I think up to 700 cake.

Jack Rhysider (80:48)

Wow.

Hugh Mingo (80:50)

Yeah. For a lawyer.

Interviewer (80:52)

Because I would have fought to say, yeah, you're saying that he caused $60 million in damage. However, he did not actually do any of that damage. He just gave the information to someone else and someone else did the damage. He never did a tax fraud. So you can't say he's the one who did tax fraud. It's like if I sell you a lighter and then you take that lighter and you burn a building down with the light, I'm not in trouble for selling you the lighter. The person who burned the building down is not true.

Hugh Mingo (81:26)

But, but you know, back then, you know, like a lot of people told me the same thing, you know, I shouldn't keep, you know, I shouldn't hire, I shouldn't hire a lawyer. I just keep that money. Yeah, but you know, like my family, you know, they so worried and they just look up on the Internet, you know, oh yeah, this is good lion, like good, good, good rating, like five star rating, international lawyer, whatever in New Hampshire, you know, like professional one. And yes, that's, that's what happened. I remember like every time the lawyers and his team meet me up, like every, every time like that it cost me like 5 to 10,000 USD and an email I sent to him on the other lawyer team, like it cost me like 2 or 300 USD for one email.

Interviewer (82:25)

Lawyers are so, so expensive.

Hugh Mingo (82:28)

I know it's very expensive, but you know, it's Y Z, you know, easy money, easy go. So I'm for real, you know, I, I don't really complain about it like, because end up at the end of the day, it's kind of dirty money, you know.

Jack Rhysider (82:44)

Another thing that really bugs me about this whole thing is neither Microbuilt Locate plus or Court Ventures ever told their victims that there was a database breach.

Hugh Mingo (82:54)

No, they never say even until now. I searched about them and they never mentioned anything about it even though it's really happened to them.

Jack Rhysider (83:04)

What scrumbags. I just, I have no sympathy for these data brokers. I absolutely hate them. They take my data without consent. I can't even opt out if I want. They don't protect it. And when it's lost in a data breach, they don't even have the decency to tell me that my data that they gathered on me got loose. Hugh was desperately trying to get his lawyer to help him. But here's the thing. There's a 99% conviction rate when the feds slap you with a CFAA violation in all the cases of the Feds accusing someone of a CFAA violation. I've only been able to find two or three cases that the defendant actually won. The rest were people pleading guilty or found guilty in trial. So the chances of Hugh getting off were slim to none. He tried to fight it, but everything they tried just kept getting denied by the courts. And after a few years of fighting, you got tired and was running low on cash.

Hugh Mingo (84:01)

You know, my lawyers explained to me, you know, I may lose the trial. I may get up to like, 45 years in federal prison.

Interviewer (84:10)

45 years.

Hugh Mingo (84:11)

And I got so. Right. I got so scared. All the charges, like, all combined together, not only from New Hampshire. Right. But also from the. From New Jersey as well, too. So I got two, Two, two criminal charges from New Hampshire and New Jersey. So they all combined together and they, they say up to like 45 years if I lose. So. So my family and me was so scared. So we play kind of. We play bleed deals. And, yeah, I plead guilty. During the summertime of 2015.

Interviewer (84:58)

Guilty.

Jack Rhysider (84:59)

Guilty of doing $60 million in damage.

Interviewer (85:03)

When your sentence came up or during a plea deal, did you offer to give up your money to reduce the sentence? How did that go?

Hugh Mingo (85:13)

Oh, yeah, my family also asked them. You know, like, they want to give back all the money, but they say, no, they don't need that. Yeah.

Jack Rhysider (85:26)

Really?

Hugh Mingo (85:27)

Right. They don't need money, they don't need any assets, and then they don't need anything. So it's. What, It's. What is it? So. But the thing, you know, I spent a lot of money on lawyer.

Interviewer (85:41)

Yeah.

Hugh Mingo (85:41)

On, you know, like during my incarceration as well, too, you know, like for foods and medication and stuff like that.

Interviewer (85:50)

So they didn't. They didn't take any of your money or property or cars or anything?

Hugh Mingo (85:56)

No, they didn't care. They say they don't need that.

Interviewer (86:00)

They just want you.

Hugh Mingo (86:02)

They don't want me.

Jack Rhysider (86:04)

After pleading guilty, he was sentenced to 13 years in prison. 13 years for getting access to data broker data, which he wasn't authorized to access at this point. I'm wondering, what if instead of Hugh accessing data broker data to sell that, what if he just made his own data broker business, you know, for anyone to access? Would that be illegal? Like, if Hugh copied all the data out of the phone book and all the court records and the county records and scraped some LinkedIn data to build complete profiles on millions of people? That's all public information. Right. And it wouldn't have been that hard for him to do because he's A clever guy. Are there laws that he would be breaking if he sold that data? I guess what I'm wondering is, are there laws that data brokers have to follow? Well, I had to stop and look into that. Basically, yes. There are data broker laws, and often states regulate them. And the gist of the laws is that data brokers have to prove that they aren't selling their data to criminals. I mean, think about all the dangerous household things we probably all have, right? Box cutters, a hammer, matches, lighters, gasoline, bleach. These are all things that can cause a lot of harm and destruction, right? Yep. When you go to buy them, the store doesn't verify your intent. They're not like, hey, what are you going to do with that box cutter? You have to prove to us that you're going to put it to good use. Yet that's how data brokers treat their customers. Their customers have to show proof that they have a legitimate reason to search their data, and they're on the approved list of okay people. Apparently, it's not good enough for data brokers just to say, hey, you can't use this for malicious intent. They have to verify every single user to try to prevent any of them from using the data maliciously. So the approved list is people like law enforcement, marketers, investigators, loan agencies, those sort of people. And that distinction is very fascinating to me. Data brokers are legal, but only if they sell their data to an exclusive group of people. And I don't like that, not one bit. I mean, of course I don't like that there's a business out there buying and selling my personal information. That's gross. Go get a real job. All right, But I think I might have a hot take here. I don't like that they only sell their data to a certain group of people. I wish they sold it to anyone. Only people in some exclusive club can look up my data. A club that I'm not allowed in. I mean, the reason why states regulate data brokers is because if anyone could search those databases, then we'd all be flooded with scammers and identity thieves and stalkers. But to me, that's not the problem. To me, the problem is, one, I don't even know how much data those data brokers have on me. And two, I don't even know who has my data. Like, if I could somehow feel the sting and pain every time my privacy is lost, I would take my privacy way more seriously. So, like, I know there's probably apps on my phone that are sending real Time location data right now to a data broker. And if someone took that data and saw where I was and came to my house and knocked on my door, of course I wouldn't answer because I.

Interviewer (89:16)

Never answer my door.

Jack Rhysider (89:17)

But I just imagine them continually pounding on the door like, hey, I know you're home. Answer the door. Your phone is sending me real time location data to me right now. I'd immediately be like, wait, what app is sending you my location data? And I think having a scary moment like that would absolutely force me to uninstall apps that are tracking me. So my hot take is that stalkers aren't the problem here. It's the obsessive collection of my data that's the problem. If data brokers opened themselves up to let anyone search their site, we'd all be way more private and secure because we'd all be taking huge steps into protecting our privacy way more seriously. When we don't know what's out there, we don't think it's a problem, and they're trying to hide that from us. Of course, the data brokers say they take our privacy seriously and security is their top priority. Yeah, well, until it isn't. Hugh got into four different data brokers all by himself, and it didn't look like it was that hard for him to do. Not only that, there's news story after news story of data brokers getting hacked into. The biggest one is when Equifax got breached. If the data brokers were so worried about their data getting into the wrong hands like scammers and stalkers, then don't collect it at all. Because if there's one thing I've learned about doing over 160 episodes on hacking is that you will fail at securing your network and data at some point. There is no safe way to collect and store my personal data, much less sell it. The regulators think forcing data brokers to vet every user is stopping criminals from accessing the data. But clearly criminals are in fact accessing the data. Since when do criminals follow regulations? So really, all the regulations are doing is stopping people like you and me, normal citizens, from being able to see what's in there. There are so few people who truly understand what is happening in this data broker world, since they like to operate in the dark, in the shadows of the Internet, and they work hard to keep everyone else in the dark. I want to believe that someday privacy will be in style again and we just need enough cool people to tell us it's worth wanting. Because data brokers has a bad aesthetic. Surveillance is sterile. It's cold, gray and depressing. There's nothing cool or romantic or aspirational about being trackable down to when you're peeing or having sex or eating or sleeping. Yet these data brokers are feverishly trying to know all of that about you and build a complete behavior profile on you and then selling that to millions of people who are on the allowed list. I hope someday wanting privacy doesn't make you a weirdo, but it makes you cool. Hugh was sentenced in 2015, which meant he'd get out in 2026, because he already spent two years in prison by that point. And it was there in the New Hampshire prison where he learned English and studied all kinds of things. The police asked if he could share his story with others to teach them how the darknet works and all that. So he cooperated and told his story and was trying to self rehabilitate to get out early. But when he was in prison, he heard some news which really crushed him. That Liberty Reserve website was seized by the Feds and the owner was caught.

Hugh Mingo (92:46)

I heard on the news that he got caught.

Jack Rhysider (92:49)

And the thing is, Q had a lot of money still in his Liberty Reserve account. But when the Fed seized the site, they seized all that money too.

Interviewer (92:57)

How much did you lose there?

Hugh Mingo (93:00)

I was saving up over there, like a little more than 300k. Wow. I was thinking, man, I will go home and they will get that money. But you know, the moment I heard on the news during my incarceration time in 2014 or 15, and I say, man, it's over, no more money.

Jack Rhysider (93:27)

So he continued serving his prison sentence, staying out of trouble and because he had good behavior, they let him out early. After serving seven years in prison, they let him out in 2020. There was a lot of complications getting out of prison in the middle of a pandemic. So it took him eight months to get home after he was released, but he eventually made it back to Vietnam.

Interviewer (93:49)

When you got home in 2020, did you have money remaining from all this?

Hugh Mingo (93:55)

I still got a little more than 50,000 USD and one apartment.

Jack Rhysider (94:05)

When he got home, he got a job with the Vietnamese government to help with their national cyber defense.

Hugh Mingo (94:12)

They so called the ncsc, the National Cybersecurity center and been working there for like four years. I just left NCSE just five months ago because, you know, like the government, they really structured the agency and that's why I left ncsc. And right now I just trying to do mainly focusing on cyber crime investigation and I love hunting cyber criminal technically and to the day I got home. Until now I have been law enforcement in Vietnam and other countries as well to arrest more than 200 cybercriminals.

Jack Rhysider (95:05)

He says he also enjoys helping victims of scams and identity theft by educating them on what options they have and helping them regain control of their life and use the law to help them out. In fact, it sounds to me that Hugh feels pretty bad for all the people who got scammed from his service.

Hugh Mingo (95:19)

I feel like, you know, I owe a lot to the people, especially the people in the us. I kind of hurt and harmed so many people's lives and I kind of always feel ashamed about it.

Jack Rhysider (95:36)

So he wants to be clear that he is sorry for anyone whose identity got stolen and lost money from his website. He truly feels bad about it and has apologized publicly multiple times and wants to try to do what he can to correct the wrongs he's done, which is why he's helping victims now and works with law enforcement to catch cybercriminals in his home country. Thank you so much to human no for telling us this incredible story. This one was wild. I had to stop and think like multiple times while making it and I love a good story that puts me in deep thought like that and I hope it did for you too. I recently read a book about data brokers which was extremely eye opening and I encourage you all to read it. It's called Means of Control by Byron Tao. Check it out, it's a total page turner. You will not see the world the same again after that. Don't forget you could pick up some really cool shirts at a shop. I guarantee you will find a shirt you love there. Go to shop.darknetdiaries.com this episode is created by me, the hack street boy himself, Jack Resider. Our editor is the hash slashing tristanledger mixing by proximity sound and our intro music by the mysterious Breakmaster Cylinder. They say if you don't pay for it then you're the product. But what if you pay a data broker to look up your own data? What then?

Hugh Mingo (97:03)

Hmm.

Jack Rhysider (97:04)

This is Darknet Diaries.